Millions of credit cards numbers exposed at CallPotential, “Where Cards Become Exposed”™

Where Cards Become Exposed ™

I don’t want to share the full details yet, so as to protect customer data, but I have tried multiple times to get the company to respond and they keep telling me that they “don’t store credit card numbers on file”. This is a multi-national company that unfortunately/seemingly doesn’t take credit card or user data seriously and doesn’t have a process in place for “when things go wrong”. No PR or press contact, no IT contact, etc. I will update here with the full details of the vulnerability discovery process when they finally do respond and patch the multiple flaws, but I suspect that it will take them a little while to figure it out since no one appears to have authority over there. In the mean time, this vulnerability requires NO AUTHENTICATION and ANYONE ON THE INTERNET CAN ACCESS MILLIONS OF FULL CREDIT CARD DETAILS/PII.

It is unlikely that I am first person to see these flaws. Probably the “blackhats” already know about them and have been exploiting the issues to steal PII and charge credit cards for some time. I suspect incident response will need to occur soon. See if you can figure out any of the vulnerabilities from this simple google dork []. If you figure it out, please don’t post the details, but kindly confirm that you have similar concerns once you see the issues. Finding vulnerabilities from a simple google dork that results in millions of credit cards being exposed is something any company should take very seriously. And even if you are just a medium-sized corp, you should take this time to put people in charge to deal with such serious situations.

If you don’t figure it out, stay tuned and I will walk you through the vulnerabilities after the company does realize they have a major problem on their hands.